From 4cc05f5eacb1417a3c37eff79a3fc72fea44e1fb Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 6 May 2021 12:18:42 +0200
Subject: [PATCH] Added sysadm docker & docker-compose scripts
---
 sysadm/01-sshd.conf | 20 +++++++++++++++++
 sysadm/debian_docker_and_compose.sh | 18 +++++++++++++++
 sysadm/debian_firewall.sh | 35 +++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 sysadm/01-sshd.conf
 create mode 100755 sysadm/debian_docker_and_compose.sh
 create mode 100755 sysadm/debian_firewall.sh
diff --git a/sysadm/01-sshd.conf b/sysadm/01-sshd.conf
new file mode 100644
index 0000000..a12df54
--- /dev/null
+++ b/sysadm/01-sshd.conf
@@ -0,0 +1,20 @@
+[DEFAULT]
+# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
+bantime = 600
+
+# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
+findtime = 60
+maxretry = 3
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator. For example, add your
+# static IP address that you always use for login such as 103.1.2.3
+#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
+
+# Call iptables to ban IP address
+#banaction = iptables-multiport
+
+# Enable sshd protection
+[sshd]
+enabled = true
diff --git a/sysadm/debian_docker_and_compose.sh b/sysadm/debian_docker_and_compose.sh
new file mode 100755
index 0000000..b00f4b8
--- /dev/null
+++ b/sysadm/debian_docker_and_compose.sh
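Review bot: The comment above `bantime = 600` says hosts are banned for 24 hours (86400s) but the value is 600 seconds, i.e. ten minutes; either the comment or the value is wrong, so change the comment to `# Ban IP/hosts for 10 minutes (600s):` or set `bantime = 86400` to match. With `banaction` left commented out, fail2ban presumably falls back to its default iptables action and inserts its own chains into the live ruleset; since the companion firewall script in this commit manages the ruleset with firewalld, a `firewall-cmd --reload` or a firewalld restart may drop those chains, so a `firewallcmd-*` action (e.g. `banaction = firewallcmd-ipset`) would keep the bans under firewalld's control — worth confirming against the installed fail2ban version. The file header should also state which directory it is meant to be dropped into, since the `[DEFAULT]`/`[sshd]` sections are jail settings and are only honoured from the jail configuration, not from daemon-config overrides.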
@@ -0,0 +1,18 @@
+apt-get remove docker docker-engine docker.io containerd runc
+apt-get install -y \
+ apt-transport-https \
+ ca-certificates \
+ curl \
+ gnupg-agent \
+ software-properties-common
+curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/debian \
+ buster \
+ stable"
+apt-get update -y
+apt-get install -y docker-ce docker-ce-cli containerd.io
+
+apt install python3-pip -y
+pip3 install docker-compose
+
diff --git a/sysadm/debian_firewall.sh b/sysadm/debian_firewall.sh
new file mode 100755
index 0000000..77d2a79
--- /dev/null
+++ b/sysadm/debian_firewall.sh
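Review bot: The script has no shebang and no `set -euo pipefail`, so if the key fetch on the `curl -fsSL ... | apt-key add -` line fails the repository is still added and `apt-get install` runs anyway; the script never stops on its own. `apt-key add` also places Docker's signing key in the globally trusted keyring, where it can sign any configured repository, whereas a dedicated keyring with `signed-by=` confines that trust to the Docker repo (and is the form Docker itself documents); `gpg` then has to be in the prerequisite list, since `gnupg-agent` alone may not pull it in. Note that under `set -e` the first `apt-get remove` line needs `|| true`, because apt exits non-zero for a package it cannot locate at all (`docker-engine` is not in the Debian archive). The unpinned `pip3 install docker-compose` as root also installs whatever the latest PyPI release is at run time; pinning a version, or using the compose binary Docker distributes, would make the install reproducible.
```shell
#!/usr/bin/env bash
set -euo pipefail

# Old packages may be absent or unknown to apt; do not abort on that.
apt-get remove -y docker docker-engine docker.io containerd runc || true
# … unchanged: apt-get install of prerequisites (add gnupg to the list) …
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian buster stable" \
  > /etc/apt/sources.list.d/docker.list
# … unchanged: apt-get update / install docker-ce, python3-pip, docker-compose …
```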
@@ -0,0 +1,35 @@
+apt install firewalld fail2ban -y
+# Fixes bug in iptables 1.8
+echo "deb http://deb.debian.org/debian buster-backports main" > /etc/apt/sources.list.d/buster-backports.list
+apt update
+apt install -y iptables -t buster-backports
+
+#echo "Setting iptables to not use nf_tables"
+update-alternatives --set iptables /usr/sbin/iptables-legacy
+update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+#update-alternatives --set iptables /usr/sbin/iptables-legacy
+
+echo "Setting docker to not open ports automatically..."
+echo '{ "iptables": false }' > /etc/docker/daemon.json
+
+cp 01* /etc/fail2ban/fail2ban.d/
+
+echo "Setting firewalld to use iptables..."
+sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/g' /etc/firewalld/firewalld.conf
+
+rm -rf /etc/firewalld/zones/*
+firewall-cmd --permanent --zone=public --change-interface=docker0
+firewall-cmd --permanent --zone=public --add-masquerade
+# This assumes a typical port 22 for ssh. If not just set it here with --add-port
+firewall-cmd --permanent --zone=public --add-service=ssh
+
+## OUTSIDE WORLD NEEDED PORTS FOR ISARDVDI WEB and VIEWERS
+firewall-cmd --permanent --zone=public --add-port=443/tcp
+firewall-cmd --permanent --zone=public --add-port=80/tcp
+
+## LETS RESTART EVERYTHING.
+systemctl restart firewalld
+systemctl stop docker
+systemctl start docker
+systemctl restart fail2ban
+
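Review bot: `cp 01* /etc/fail2ban/fail2ban.d/` copies whatever matches `01*` in the caller's current directory rather than the script's, and, as far as I can tell, `fail2ban.d/` holds overrides for fail2ban.conf (daemon settings) while the `[DEFAULT]`/`[sshd]` jail settings in 01-sshd.conf are only read from `jail.d/`, so the bantime/findtime/maxretry added in this commit would presumably never take effect; I would make the path explicit and target the jail directory: `cp "$(dirname "$0")/01-sshd.conf" /etc/fail2ban/jail.d/`. `rm -rf /etc/firewalld/zones/*` silently discards any zone customisation already on the host, and `echo '{ "iptables": false }' > /etc/docker/daemon.json` overwrites an existing daemon.json instead of merging into it — both deserve a warning comment at the top of the script, e.g. `# WARNING: replaces existing firewalld zones and /etc/docker/daemon.json`. With Docker's iptables handling disabled, ports published with `-p` no longer get DNAT rules, so only the explicitly opened 22/80/443 on the host are reachable; that constraint is worth stating next to the daemon.json line. Like its sibling, the script lacks a shebang and `set -euo pipefail`, so a failed `firewall-cmd` call still falls through to the service restarts at the end.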